Can Our Identities Ever be Reclaimed?

It’s been 22 years since Sandra Bullock struggled to reclaim her identity from cyber-terrorists in The Net, a movie that opened our eyes to the risks of digital identity theft way ahead of its time.

Just as this movie shed light on identity theft, massive breaches of personally identifiable information have a way of sharpening consumers’ attention on the need to secure their identifying data. “Credit freeze” - the credit bureaus really call it a security freeze - has now entered the common vernacular as individuals look to prevent identity theft.

While a credit freeze can protect against the opening of fraudulent credit accounts, it is not an inoculation against identity theft. With all the media attention on the credit freeze process, there is risk of consumers developing a false sense of security. Consumer Reports has published a list of additional threats and steps to protect against them, including the necessity of opening a “my Social Security” account.

However, in an attempt to safeguard identity with this recommendation from Consumer Reports, I learned that if you already have a credit freeze in place, it complicates the process of signing up for a my Social Security account because the Social Security Administration (SSA) wants to use your credit score as a way to ensure its really you. I now have to physically go to an SSA office to open the account, just to prevent someone else from opening it fraudulently. What a mess.

Whether prompted by nostalgia over Sandra Bullock movies or the latest breach, this is a time to consider identity in the digital age, given that most consumer digital identities have been compromised in some way or other. With the vast majority of personal information already compromised, is there any turning back? Is there any way to reclaim our identities? Does it even matter?

Who owns our digital identity?

Asking this question ten years ago, we might have assumed the answer would be “the individual.” But today, corporations can claim consumer digital identities, while Social Security Numbers have always been owned by the federal government (no matter how many times we are asked for them in the doctor’s office).

Our digital identity is the currency that pays for Facebook, Gmail, Twitter and all the rest of the “free” services offered by social media companies. We are not the customers, nor do we truly own these accounts – our digital identities are the product being sold to advertisers. The same is true of the credit bureaus, except in their case, consumers receive few direct services in exchange, while the bureaus use government-issued identifiers and charge us to protect it.

While consumers may find this distasteful when put bluntly, this reality has always been in the fine print of the terms of agreement that no one wants to read.

Do digital identities even matter?

Given that consumers don’t truly own their digital identities, there is a temptation to throw our hands up and forget about trying to protect them. That would be a mistake.

Our real, physical lives are impacted by what happens in the digital realm. It matters if someone steals your Social Security benefits. It matters if your credit score is ruined by fraudulent behavior. It matters if your prescription drugs are re-routed to a thief.

We’ve grown comfortable with free social media services mining our personal information to provide better targeted ads, at least in part because we trust that those companies are not trying to criminally exploit that information. We accept that credit bureaus are going to retain vast amounts of information about us, so that we can obtain credit quickly and easily. Yet, it’s in the best interest of digital service providers to help us secure that information if they want us to continue to use their services.

Securing the use of digital identities

With breach after breach exposing the full picture of our digital identity, we have to face the reality that securing identity attributes is an impossible task. Our consumer digital identities will never be reclaimed. We must assume that attributes like our Social Security numbers, driver’s license numbers, address, birthday, phone numbers, etc. are already exposed to anyone who wants to commit fraud with this information.

If protecting identities and the attributes associated with them is a lost cause, what can be done?

The best approach to ensuring no more of our digital identity falls into the wrong hands is to implement stronger, two-factor authentication (2FA) for the use of digital identities, in a way that is consumer-friendly. All companies and governments that maintain identity and attribute data should be required by regulation to implement 2FA, a solution that significantly enhances authentication security

Some companies, like Facebook, are doing this already, using mobile apps as a means of delivering a soft token. This is typically a six-digit code that refreshes every thirty seconds to satisfy the “something you have” factor, to go along with “something you know” such as the ubiquitous password. The challenge is that not every consumer has a mobile device (although the vast majority do). This is a particular problem for the Social Security Administration, which is dealing with an older generation that is not always as tech-savvy.

That brings us full circle to the experience that I face in trying to protect my information from further risk. While it is somewhat annoying to have to go in person to a local SSA office to register for a “my Social Security” account, the security side of me appreciates this extra step to confirm it’s actually me.

Nothing in security is foolproof, but the cost of the massive breaches of consumer identities that we’ve witnessed over the last few years must be born by more than the consumers it affects. It’s time to get past multiple single factors of “something you know” for authentication and move to making multiple factors the norm. Does anyone believe their mother’s maiden name is an adequate means of extra identification?

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.